W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 2002

Re: Introductory article about XML Signatures and Best Practices

From: John Messing <jmessing@law-on-line.com>
Date: Sat, 14 Dec 2002 11:14:17 -0500
Message-Id: <200212141114.AA342360580@law-on-line.com>
To: <w3c-ietf-xmldsig@w3.org>

These types of discussions have been considered by lawyers and technologists working within the American Bar Association. To summarize views as a lawyer:

Proof of origin is established by a digital signature. Where XML is signed, this function is performed by XML DSIG.

Proof of non-tampering is established by the same source.

Proof of content can be further established by a trusted timestamping authority.

Proof of intent (the subject of this posting) is best determined from the social and human context rather than any automated means such as a certificate non-repudiation bit. To add to the ideas of the posting, how does one distinguish an autograph from a signature intending to bind a person to a document, either in the paper world or the electronic world? The answer is look at the content. What was said? But that is not a signature function, it is a legal construction issue based upon the objective expression of human intent, indicating the posting is really off-topic for XML Signatures.

The last piece of the puzzle is to bind the human identity of the subscriber to the private key which was used to sign the XML. This establishes the identity of the person over and above the machine or network location of the machine or device which was used to sign.

In the eNotary TC of LegalXML Oasis, this issue is being vetted with a goal to creating a syntax that can be included within the signed XML data or an X-509 certificate extension (or both) in order to provide a shorthand way to express equivalent or disparate registration procedures employed by various RA's and their legal significance in machine readable ways. This is intended to enable relying parties to "mix and match" brands and types of certificates in order to perform their due diligence and reduce their own liability in connection with certificate usage.

With these points covered, XML digital signatures can be made a perfectly appropriate means for creating electronic signatures on XML data for any and all legal purposes.

Best regards and holiday wishes to all.

John Messing
Attorney at law
Chair, eNotary TC, LegalXML Oasis
Chair, eFiling Committee, American Bar Association

---------- Original Message ----------------------------------
From: "David Wall" <dwall@Yozons.com>
Date:  Fri, 13 Dec 2002 20:39:50 -0800

>
>How close is the XML Signature standard to being a great foundation for
>electronic signatures.  As you specify in your article, a digital signature
>on data does not make an electronic signature, and it's not clear that the
>XML Signature using digital signatures really is appropriate as an
>electronic signature standard.  After all, they are not the same (see Bruce
>Schneier's Cryptogram on this at
>http://www.counterpane.com/crypto-gram-0011.html#1)
>
>What I mean is that digitally signing something really means that it came
>from the party and has not been tampered with.  Automated tools using XML
>Signatures enable the automatic validation of such data (in XML format,
>obviously), and this can be quite useful (ensuring the data integrity and
>fact it came from me, for example, could be very useful).  But this is more
>like a checksum with identity than an electronic signature which implies
>that I am legally binding myself to what the data implies (such as for a
>contract, agreeing to abide by the terms therein).
>
>Aside from highly automated transactional systems (such as order entry), it
>seems that most XML Signatures won't really be electronic signatures as
>validating a signature on a contract clearly is insuffient (so automation
>may not really help) -- it's more important to know what is being agreed to
>than that it was agreed to, so the content is priority one, followed by the
>signature.
>
>For example, assuming that I had a Word, PDF or HTML file that I'd like to
>sign because that file contains a contract.  What is the substantial value
>of having this signed using XML Signature?  An automated system clearly
>could accept this XML data and validate the digital signature, but what was
>agreed to?  Did I agree to to fulfill a consulting job for $200 an hour over
>the next 100 days, or was it $100 and hour over the next 200 days.  Even
>this example results in the same "total cost" but changes the delivery time
>by a factor of 2x and means you won't have your results in the next quarter!
>
>I guess the gist of my question revolves around the fact that I see the true
>value of digital signatures.  I see the true value of being able to
>automatically verify them, especially to ensure that orders (for example)
>are originals and come from a known entity (assuming I use my own copy of
>the sender's public key and not just the public key embedded inside the XML
>signature).  But is this overkill or really necessary for electronic
>signatures which imply agreement over the terms expressed within, rather
>than just saying the data has not been tampered with and it's from me?  When
>sending a message that reports on a terrorist attack, for example, or
>describes how to make a bomb, it's one thing for someone to know that I sent
>it and it's the original such as using PGP or S/MIME email, and quite
>another to say that I agree or otherwise want to be legally bound to the
>ideas expressed within.
>
>David Wall
>
>
Received on Saturday, 14 December 2002 11:25:45 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:16 GMT